Thorny issues, risky outcomes


21 July 2017


A couple of things caught my eye this week that variously infuriated and vexed me, and generally made me thankful I have some holidays on the way.

The first was a piece by the superlative Lucy Kellaway for the Financial Times entitled “How I lost my 25-year battle against corporate claptrap”. In it, she bemoans her quarter-century-long battle with the absolute guff talked by many a business leader. I will not try to paraphrase her prose; simply go and read it, it is worthwhile.

However, it put me in mind of our own battles within the IT industry with jargon, nomenclature and worse, when it comes to communicating the value of what we do.


Clear and concise
Clear, concise communication, without resorting to hyperbole, management speak, or indeed made-up words (my own particular bugbear), is more necessary than ever as we try to grapple with the complex value propositions of ever-more sophisticated technologies, platforms, services and solutions.

So when someone who appears to know what they are talking about drops a word such as “performant”, “proactive” or “irregardless” into a sentence, my teeth begin to grate. When it is followed up by “actioning” something taken directly from a “learning”, well, I feel entirely justified in violent thoughts. Not only does it undermine the person’s intended point, it makes me question their authority, not only on the subject at hand, but on their right to free expression.

While I know we are particularly guilty of such crimes in the IT industry, I was just so glad to see someone else struggle so courageously with the same issue and express it so eloquently, that it gave me the strength to carry on regardless.

Along similar lines, another thing that piqued my interest was a report from Gartner that we, the industry that is, are falling back on old habits that likewise undermine credibility, ultimately harm the perpetrators and tarnish a whole sector of the industry.

Gartner reported that vendors are over-egging the artificial intelligence (AI) claims for their products to take advantage of the current “gold rush”, at the risk of spreading confusion. Not only that, the analyst says the hyped claims may also lead to disillusionment: organisations adopt these products, get a less than stellar return from their “AI” capabilities, and conclude that the whole thing is vapour.

The most frustrating thing is that the term “AI” in this context could be substituted with almost any tech term from the last three decades and the same story would apply. Green technologies, virtualisation, cloud computing; one could even go back to the likes of ‘multimedia’. Any of them could stand in for “AI” here.

The IT industry seems unable to help itself from x-washing, where x is the latest technology craze. We green-washed, we cloud-washed and now it seems, we are AI-washing products. Will we never learn?

Cyber insurance
Another story that caught my eye was about cyber insurance.

A group calling itself Cyence, which “provides a comprehensive platform for the economic modelling of cyber risk”, has been working with Lloyd’s of London to promote the benefits of cyber insurance by trying to put realistic numbers on the fallout from incidents such as WannaCry and Petya.

Now, forgive me for being an old cynic, but one very much suspects that the more organisations hold cyber insurance, the more of them will be in a position to claim after an attack of the breadth of WannaCry.

We are often given examples such as this: if every consumer in China who could afford a car wanted to buy one, the steel output of the entire world would be tied up for three years to meet demand. In the same way, one suspects that if everyone hit by WannaCry had held cyber insurance that covered the damage, the cyber insurance industry would contract very quickly. And yet there are predictions that it could be worth up to $14 billion by 2020!

While it is admirable that a group such as Cyence is trying to establish real figures for damage and impact, one cannot help feeling that cyber insurance is still an opaque, less than mature industry, in which people may be paying for cover that is even less well understood than the risks it is meant to mitigate.

Reasonable mitigation
An ENISA paper entitled “Cyber Insurance: Recent Advances, Good Practices and Challenges”, from November 2016, says: “Cyber insurance was created to address risk that cannot be reasonably mitigated by security measures. While it initially started in a limited form, it developed to cover more and more types of cyber risk. In comparison with other insurance sectors, cyber insurance appears to have a lower adoption rate, while the growth projections remain high.”

That leaves a great deal open in terms of what is covered and how. It is no wonder that an insurer of the stature of Lloyd’s would enlist outside help to try to put figures on the risks.

In its findings, the paper, which was survey-based, says: “The core coverage by most insurers includes first and third-party risks, with less common coverage addressing business revenue (dependent or not), digital assets disruption, insider threat (of a non-intentional nature), intellectual property, reputational harms, and targeted attacks.”

Coverage exclusion
“Insurers offer extra coverage such as: forensics, fraud, legal costs, PR measures, and ransomware. The reported coverage exclusion around widespread non-targeted attacks, and third-party intrusion exposes a significant gap, since less than a quarter of organisations are assessing suppliers for cyber risk.”

Among the challenges it identifies for insurers in pre-policy risk assessment are the lack of cyber-security incident data, the difficulty of gathering information on how a customer manages cyber security, customers’ reluctance to share any documentation, and uncertainty around accumulation risk (many policyholders being hit by the same event at once).

Add to all this the general unpredictability of broad-spectrum attacks, the fact that zero-days remain largely unknown until they are exploited, and the complex enterprise stacks of many organisations, which are often unique, and the number of unknown unknowns rises dramatically. This leaves one wondering whether insurers can adequately assess the risk at all, and whether any policy actually covers the insured for the real outcome, as opposed to some theorised scenario.
